Possible new feature?
Posted: Fri Feb 21, 2003 9:42 pm
I saw some mention of MD5 and SHA hashes which seemed to be an attempt to do Tripwire on the fly... which I understand would be resource intensive.
However, after reading about MS's Palladium ideas, I still like the idea of signing binaries as a way of stopping hackers from tampering.
I haven't thought this completely out, but I wanted to see if this is workable...
I am imagining a binary signing system that uses a private key made from some bit of information built into the hardware which is not available to the typical user, like a CPU serial number or that ID Intel put on systems a few years ago to track identities. In order for an ELF binary to run, it must have a valid public key related to the executable's checksum. All runnable binaries would have to be generated by a specially patched linker... and obviously only root would be able to run the linker. In order to initially create all the binaries on the system, the user would have to boot a special kernel.
I'm thinking this would be less resource intensive and more secure, as there is no database of keys that are vulnerable. Sure, it would be possible to brute force the private key, but it would require building a lot of dummy executables and trying to run them, slowing the malicious and alerting the sysadmins.
I'm probably overlooking something simple, but I'd like to hear feedback on the pros and cons... and if this is beyond the scope of GRSecurity.
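A toy model of the exec-time check the post proposes, written as an added example and not code from grsecurity or the poster: a per-machine key is derived from a (simulated) hardware identifier, each binary's checksum is tagged under that key, and a loader refuses to run a binary whose tag does not verify. The hardware ID, the sample binaries and the signature store are constructed, and because signing and checking both happen on the same machine the post's "public key related to the checksum" is modelled here as an HMAC tag rather than an asymmetric signature.

```python
"""Toy model of hardware-keyed binary tagging (added example, not grsecurity code).
A machine key is derived from a hardware identifier, each binary's SHA-256 digest
is tagged with HMAC under that key, and the loader verifies the tag before exec."""
import hashlib
import hmac

# Constructed stand-in for an identifier only the kernel can read; not a real value.
HARDWARE_ID = b"cpu-serial:0000-DEAD-BEEF"


def derive_machine_key(hardware_id: bytes) -> bytes:
    """Stretch the raw identifier into a 32-byte MAC key (HMAC-SHA256 used as a KDF)."""
    return hmac.new(hardware_id, b"elf-signing-key-v1", hashlib.sha256).digest()


def sign_binary(key: bytes, elf_bytes: bytes) -> bytes:
    """What the patched linker step would do: tag the binary's checksum."""
    digest = hashlib.sha256(elf_bytes).digest()
    return hmac.new(key, digest, hashlib.sha256).digest()


def may_execute(key: bytes, elf_bytes: bytes, tag: bytes) -> bool:
    """What the kernel's exec path would do before running the binary."""
    expected = sign_binary(key, elf_bytes)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> tuple:
    """Three cases: untouched binary runs, tampered one is blocked,
    and a tag made on another machine's key does not carry over."""
    key = derive_machine_key(HARDWARE_ID)
    binary = b"\x7fELF" + b"trusted program body"  # constructed sample binary
    store = {"/usr/bin/trusted": sign_binary(key, binary)}  # constructed tag store
    runs = may_execute(key, binary, store["/usr/bin/trusted"])
    tampered = binary.replace(b"trusted", b"patched")
    blocked = not may_execute(key, tampered, store["/usr/bin/trusted"])
    other_key = derive_machine_key(b"cpu-serial:1111-2222-3333")  # constructed
    foreign = not may_execute(other_key, binary, store["/usr/bin/trusted"])
    return runs, blocked, foreign


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The model also shows the dependency the post glosses over: whoever can read the hardware identifier can derive the key and tag binaries, so the check only holds if that identifier is unreadable outside the kernel.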